Exploiting a vulnerability in routers to redirect users to fake bank pages

The computer security company ESET warns that a number of home routers have been compromised with the aim of stealing users' banking data. Brazil, Bolivia and Argentina are among the countries most affected by this campaign.

ESET, a leader in proactive threat detection, analyzes a campaign that compromises home routers, intercepting users' traffic and redirecting them to fake sites that impersonate several banks in order to steal their data. Brazil, Bolivia and Argentina are the three countries most affected by this campaign.

More than 70 router models and firmware versions were attacked, and more than 100,000 home routers were tampered with by the attackers to redirect traffic. Among them are models from brands such as D-Link, TP-Link, Kaiomy, Huawei, Tenda, Ralink and MikroTik.

Brazil is the country with the highest number of victims, with nearly 91,605 affected home routers (equivalent to 88% of the devices), followed by Bolivia with 7,644 and Argentina with 2,581 among the three most affected countries. As for the deception itself, more than 50 domains were impersonated, most of them belonging to well-known banks operating in the South American country.

“The operation of the campaign is based on scanning Brazil's IP space in search of routers with weak passwords, accessing them and replacing the legitimate DNS configuration with the IP addresses of DNS servers under their control,” explains Camilo Gutierrez, Head of the Research Laboratory at ESET Latin America. These modifications redirect the DNS queries that pass through the compromised devices to the rogue DNS server, which holds a list of 52 phishing pages impersonating legitimate sites (mainly banks) with the objective of stealing the victims' access credentials. Besides financial institutions, the campaign also targets hosting and streaming services such as Netflix, among others.
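The mechanism above (router DNS settings swapped for attacker-controlled resolvers, which then answer bank hostnames with the address of a phishing server) leaves two client-side traces a defender can look for. The following script is an added illustration of that detection logic; it is not ESET's or Netlab 360's code, and all addresses and hostnames in it are constructed sample data (RFC 5737 documentation ranges and `.example` names). It assumes a monitoring job has already collected the resolver addresses the router handed out over DHCP and the A records for a watch-list of sensitive hostnames, obtained once through the configured resolver and once through an independent trusted resolver.

```python
import ipaddress
from collections import defaultdict

# Constructed sample observations (TEST-NET / documentation addresses only):
# the resolvers the router handed out over DHCP, and the A records obtained
# by resolving the same hostnames through the configured resolver and
# through an independent, trusted resolver.
CONFIGURED_RESOLVERS = ["192.168.0.1", "198.51.100.23"]
ALLOWED_RESOLVER_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8", "1.1.1.1/32", "9.9.9.9/32"]

TRUSTED_ANSWERS = {
    "bank-a.example": {"203.0.113.10"},
    "bank-b.example": {"203.0.113.20"},
    "streaming.example": {"203.0.113.30", "203.0.113.31"},
    "news.example": {"203.0.113.40"},
}
CONFIGURED_ANSWERS = {
    "bank-a.example": {"198.51.100.99"},
    "bank-b.example": {"198.51.100.99"},
    "streaming.example": {"198.51.100.99"},
    "news.example": {"203.0.113.40"},
}


def unexpected_resolvers(configured, allowed_networks):
    """Return configured resolver addresses outside every allowed network.

    This only catches the variant where the router pushes the rogue resolver
    to clients over DHCP. A router that keeps itself as the client's resolver
    and forwards to the rogue server upstream is invisible to this check,
    which is why the answer comparison below is also needed.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [r for r in configured if not any(ipaddress.ip_address(r) in n for n in nets)]


def mismatched_hosts(configured_answers, trusted_answers):
    """Hosts whose answer sets differ between the two resolvers.

    A single mismatch is weak evidence: CDNs and geo-DNS legitimately return
    different addresses to different resolvers, so this is a review queue,
    not a verdict.
    """
    return {
        host: (sorted(configured_answers[host]), sorted(trusted))
        for host, trusted in trusted_answers.items()
        if host in configured_answers and configured_answers[host] != trusted
    }


def shared_sink_addresses(configured_answers, trusted_answers, min_hosts=2):
    """Addresses the configured resolver returns for several unrelated hosts
    that the trusted resolver never returns for those hosts.

    This is the stronger signal for a campaign like the one described above:
    one phishing server hosting many fake sites shows up as one address
    answering for many hostnames that should not share infrastructure.
    """
    hosts_by_addr = defaultdict(list)
    for host, addrs in configured_answers.items():
        for addr in addrs:
            if addr not in trusted_answers.get(host, set()):
                hosts_by_addr[addr].append(host)
    return {addr: sorted(hosts) for addr, hosts in hosts_by_addr.items() if len(hosts) >= min_hosts}


def assess(configured_resolvers, allowed_networks, configured_answers, trusted_answers):
    """Combine the checks into a verdict a monitoring job can alert on."""
    rogue = unexpected_resolvers(configured_resolvers, allowed_networks)
    sinks = shared_sink_addresses(configured_answers, trusted_answers)
    review = mismatched_hosts(configured_answers, trusted_answers)
    if sinks:
        verdict = "likely_hijack"
    elif rogue or review:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "unexpected_resolvers": rogue,
            "sink_addresses": sinks, "mismatches": review}


if __name__ == "__main__":
    import json
    print(json.dumps(assess(CONFIGURED_RESOLVERS, ALLOWED_RESOLVER_NETWORKS,
                            CONFIGURED_ANSWERS, TRUSTED_ANSWERS), indent=2))
```

With the constructed data the verdict is `likely_hijack`, because three unrelated hostnames all resolve to the same address that the trusted resolver never returns. The "one address for many sensitive hostnames" clustering is what separates a hijack from ordinary CDN variation; on a real network, replace the constructed dictionaries with answers gathered by a resolver library or `dig`, and treat a `review` verdict as something to inspect rather than an alert.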

Some of the financial institutions impersonated were Bradesco, Itaú, Banco do Brasil, Caixa and Citibank, among others. “It is important to note that this is not a vulnerability or failure in the websites of these institutions, but a vulnerability exploited in home routers,” Gutierrez adds.

The company Netlab 360 informed several Internet providers, as well as Google, about the incident, and the vast majority of these fake sites have already been taken down.